My yahoo email account was sending spam at about 6:42pm EDT (the spam messages show 3:42pm PDT) yesterday. I realized it when I received several "Failure Notice" emails, because Yahoo was unable to deliver the spam messages to some of the intended addresses.

As much as I would like to know how to prevent such a thing from happening, I would like to understand how the spam emails could possibly have been sent from my email account.
Is it possible that someone else accessed my account to use it to send spam?

Suppose they didn't actually log into my account and send emails from it.

I wonder how the spam messages were then also stored in my "Sent" folder?

I also checked "Recent Login Activity" of my yahoo account, but all recorded locations and IP addresses from 4:47 PM the day before yesterday till late yesterday night are my own. I wonder how it is possible that someone else accessed my account to use it to send spam?

Suppose they did actually log into my account and send spam from it.

I wonder how they could possibly have managed it, given that I had taken the following steps before the spamming happened?

My original password (p+N4th@y8yUcer4pr6HeyE2ewa2Ebu!e) was really long: 32 characters with capital and lowercase letters, numbers and other types of characters, generated by some online random password generator. Also, I haven't shared my password with any other website or person. Is such a password possible to guess?

I also used ClamTK to scan my home partition for viruses and found none.

I sometimes opened spam emails, but never clicked hidden or non-hidden links in them.

Added: I just ran rkhunter on my Ubuntu. The output of ./rkhunter -C is here and the output of ./rkhunter -c is here. They look fine, don't they?

Added: Also I pasted each of the following two headers into the geobytes spam locator, and found that the sources of the spam emails are both the same IP 187.41.82.250, in a different country (Brazil) from mine (USA). Does it mean the spam was actually not sent from my email account?

Had you ever accessed the account on a Windows machine? The simple answer to this question is that they knew your password. Did you have a recovery email set on your yahoo email account? If you access your email from an email client they didn't need to know your password, since it was likely stored in the program itself. In other words they simply sent the email from your own computer.
– Ramhound Jun 15 '12 at 17:26

Am I correct in that you are not logged in using a mail client? (on Windows it would likely be Outlook, on Ubuntu Evolution, but there are many other apps, including phone apps, and many protocols that they would use, POP3, IMAP, etc. Additionally, if SMTP was used to send mail, it possibly does not count as logging in, as that would be done with POP3 and would be necessary for receiving.)
– George Bailey Jun 15 '12 at 21:13

@George: (1) I only log into my Yahoo email account using the browsers Firefox (rarely Google Chrome) on my Ubuntu, not from phones. (2) The spam messages showed that they were sent at 6:42pm EDT yesterday. I didn't realize it until about 8pm EDT, when I saw the failure notice emails in my "Inbox" sent from yahoo because it was not able to deliver the spam to some addresses, and I also saw those sent spam messages in my "Sent". At that time I changed my password. Since then, I haven't seen any sent emails in my "Sent" or got any email notification in my "Inbox" for not being able to deliver some spam.
– Tim Jun 15 '12 at 21:19

Did you contact Yahoo? In my case, they just sent a bunch of links to their FAQ on how to fight spam. Really unhelpful.
– Tim Jun 20 '12 at 20:11

Does Yahoo's account activity page show logins or does it show the IP addresses of already-logged-in accounts? Could someone have stolen your login cookie and used it on another machine? Have you ever used this machine at, for example, a coffee shop? Did you have your Yahoo e-mail configured on a mobile device?
– Mike Jun 20 '12 at 20:41

2 Answers

There are a variety of ways in which someone can access your account, but in your instance I would say it looks as though you've either got a keylogger or a rootkit on your machine, or a dirty computer on your network that is sniffing the traffic (potentially stripping the SSL).

The reason I say this is because your password is so long and complex that it's highly unlikely it was guessed by someone, and even less likely it was brute forced. The fact that the last login IP on the account was your own, which indicates that the account was logged into from your network, would further my suspicion of a rootkit or malicious back door.

Try running rkhunter on your machine and see if anything pops up. Aside from that I would check other machines on your network for bugs as well. In the meantime though, change your password on your Yahoo account to prevent further spam.

Thanks! (1) By "potentially stripping the SSL", do you mean that when I was accessing my email account, the dirty machine intercepted my traffic and analyzed it to figure out my account's password? (2) I was also accessing my gmail account at the same time, and more often. It has a much shorter password with lowercase letters and numbers only. I wonder why that wasn't hacked first?
– Tim Jun 15 '12 at 18:13

Thanks! (1) I just ran rkhunter on my Ubuntu. The output of ./rkhunter -C is here and the output of ./rkhunter -c is here. They look fine, don't they? (2) Also I am not able to check other computers in the same network. Besides changing my password, is there another way to protect myself more? For example, to better secure my traffic? Does installing a firewall help?
– Tim Jun 15 '12 at 19:34

(3) Also I pasted the two headers into the spam locator, and found that the sources of the spam emails are in a different country (Brazil) from mine (USA). Does it mean the spam was actually not sent from my email account?
– Tim Jun 15 '12 at 19:34

That is quite bizarre; however, if the e-mails are listed in your Sent items as you describe, then they would have had to have been sent from your Yahoo server with your credentials. It's odd though that it's from a Brazilian IP address, when if the traffic was coming from your network (which the Yahoo logs claim) the attacker would likely have used an American server, as that's where you reside...
– DKNUCKLES Jun 15 '12 at 20:18

sticks out as possibly important. That is, it seems that they did not use a regular login into webmail but are using Yahoo's Mail Web Service API to access your account (that is, you gave a third party application an OAuth token to access your account). Have you granted any applications (e.g., iOS/android app on a mobile device) or a website any sort of access to your email account?

I don't use yahoo mail regularly (have an account only for fantasy sports) and would like to check that you never see that line in your normally sent emails (e.g., when you use webmail). I'd check your Account Settings (Manage Apps and Website Connections, I think, is the correct setting), and check that you haven't granted any websites/applications third-party access to your account (including the ability to send mail). (Apparently these are normal headers for sending webmail from Yahoo.)

Check that you don't have any malicious browser extensions installed on your web browser (the kind that have access to all your information and conceivably could steal login information).

Due to the high number of firefox user-scripts/plugins/extensions you are using, one of them may easily be stealing your password. Basically, a browser extension/user script that you install can do anything to any webpage if the extension has permission to load on that page: read session cookies, see what text is typed in password fields, and even send information back to attacker-controlled servers, etc. Find your extension (~/.mozilla/firefox/[random chars].default/extensions/) and user script directory and try looking through the source code for suspicious behavior from lesser known sources. *.xpi are just zip files; open them up (and any included jar, also just a zip) and browse the source. Search for things like password/passwd/yahoo in an application that should have nothing to do with logging into applications.
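The extension audit described in the paragraph above, as an added example that is not dr jimbob's code: it treats every .xpi under a profile's extensions/ directory as a zip, descends into any bundled .jar (another zip), and reports which members mention password/passwd/yahoo. The profile path, add-on names and file contents come from a constructed fixture built by build_sample_profile(); to audit a real profile, point scan_profile() at ~/.mozilla/firefox/[random chars].default instead.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Strings the answer suggests grepping for in add-ons unrelated to mail/logins.
SUSPICIOUS = re.compile(rb"password|passwd|yahoo", re.I)

def _walk(zf, prefix, hits):
    for info in zf.infolist():
        name = prefix + info.filename
        data = zf.read(info)
        if name.lower().endswith(".jar"):  # a bundled jar is just another zip
            _walk(zipfile.ZipFile(io.BytesIO(data)), name + "!/", hits)
        else:
            found = sorted({m.decode().lower() for m in SUSPICIOUS.findall(data)})
            if found:
                hits[name] = found

def scan_xpi(path):
    """Return {member_path: [matched strings]} for one .xpi (a zip archive)."""
    hits = {}
    with zipfile.ZipFile(path) as zf:
        _walk(zf, "", hits)
    return hits

def scan_profile(profile_dir):
    """Scan every .xpi under <profile>/extensions/; only add-ons with hits are listed."""
    report = {}
    for xpi in sorted(Path(profile_dir, "extensions").glob("*.xpi")):
        hits = scan_xpi(xpi)
        if hits:
            report[xpi.name] = hits
    return report

def build_sample_profile():
    """Constructed fixture (not a real profile): a benign add-on and one whose jar touches password fields."""
    profile = Path(tempfile.mkdtemp(), "abcd1234.default")
    ext = profile / "extensions"
    ext.mkdir(parents=True)
    with zipfile.ZipFile(ext / "weather@example.org.xpi", "w") as z:
        z.writestr("chrome/content/weather.js", b"fetchForecast();")
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("content/hook.js", b"// yahoo helper\nsave(passwordField.value);")
    with zipfile.ZipFile(ext / "tabhelper@example.net.xpi", "w") as z:
        z.writestr("install.rdf", b"<RDF/>")
        z.writestr("chrome/tabhelper.jar", jar.getvalue())
    return profile
```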

The only things listed under "Manage Apps and Website Connections" are the stackexchange sites. Shall I remove them?
– Tim Jun 15 '12 at 21:14

Hmm. So I just signed up for yahoo mail and it seems it does report your computer's IP address used when accessing webmail, and says "Received: from [123.123.123.123] by web122504.mail.ne1.yahoo.com via HTTP; Fri, 15 Jun 2012 14:14:35 PDT" and "X-Mailer: YahooMailWebService/0.8.118.349524". Interesting, as gmail does not publicly give your IP address out when you login via webmail (but will list it when you use SMTP from, say, an email client to send).
– dr jimbob Jun 15 '12 at 21:21

(1) Forgot to mention: I only log into my Yahoo email account using the browsers Firefox (rarely Google Chrome) on my Ubuntu, not from phones. (2) So I guess "YahooMailWebService/0.8.118.349524" means the API, and what does "X-Mailer" mean?
– Tim Jun 15 '12 at 21:23
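The header check dr jimbob's answer and comments point at, as an added example (not dr jimbob's or Yahoo's code): it pulls the `Received: from [client IP] by ...yahoo.com via HTTP` hop and the X-Mailer header out of a message's raw headers and compares the client IP with the addresses listed under the account's "Recent Login Activity". The header shape is assumed from the one quoted in the comments; the sample headers, the documentation-range IPs and the login-IP set are constructed.

```python
import re
from email.parser import HeaderParser

# Constructed sample modelled on the Yahoo webmail header quoted in the thread.
# 203.0.113.77 and 198.51.100.x are documentation addresses, not the real ones.
SPAM_HEADERS = """\
Received: from [203.0.113.77] by web122504.mail.ne1.yahoo.com via HTTP; Fri, 15 Jun 2012 15:42:03 PDT
X-Mailer: YahooMailWebService/0.8.118.349524
From: me@yahoo.com
To: friend@example.net
Subject: hi
Date: Fri, 15 Jun 2012 15:42:03 -0700

"""

# Addresses Yahoo showed under "Recent Login Activity" (constructed sample).
MY_LOGIN_IPS = {"198.51.100.20", "198.51.100.21"}

# The hop Yahoo's webmail front end writes: the client IP it saw and its own host.
WEBMAIL_HOP = re.compile(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\] by (\S+) via HTTP", re.I)

def webmail_origin(raw_headers):
    """Return (client_ip, yahoo_host, x_mailer) if the message was submitted
    through Yahoo webmail / the Mail Web Service, else None."""
    msg = HeaderParser().parsestr(raw_headers)
    # Each relay prepends its own Received header, so the last one listed is the
    # earliest hop; scan from the bottom to find where the browser/API client came in.
    for hop in reversed(msg.get_all("Received", [])):
        m = WEBMAIL_HOP.search(hop)
        if m:
            return m.group(1), m.group(2), msg.get("X-Mailer", "")
    return None

def classify(raw_headers, known_ips):
    """Compare the submitting IP with the account's recent-login IPs.
    'foreign-ip' is the question's situation: a webmail hop whose client address is not yours."""
    origin = webmail_origin(raw_headers)
    if origin is None:
        return {"verdict": "not-webmail"}
    ip, host, x_mailer = origin
    verdict = "own-ip" if ip in known_ips else "foreign-ip"
    return {"verdict": verdict, "client_ip": ip, "yahoo_host": host,
            "x_mailer": x_mailer}
```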